# Logical Methods in Automated Hardware and Software Verification

www.georg.weissenbacher.name



## Education:

- Sept. 2010: Doctor of Philosophy, University of Oxford
- 2003: **Diplom-Ingenieur**, TU Graz (Telematik)





## Research positions (before TU Wien):

- 2010 to 2012: Postdoctoral Research Associate, Princeton University
- 2005 to 2010: Research Assistant, ETH Zürich
- 2003 & 2008: Summer Intern, Microsoft Research
- 2004 to 2005: Software Engineer, Austrian Institute of Technology





## Teaching Experience (before TU Wien)

- 2011: Lecturer, Princeton University (Automated Verification & Software Model Checking)
- 2005 to 2010: Teaching Assistant, ETH Zürich (Digitaltechnik, Formal Verification)

## 184.741 Programm- und Systemverifikation

(comments from 2013-2015; 90 bachelor students)

Prof. Weissenbacher's lectures were **great**. My compliments to you. I have never experienced such a pleasant lecturer before. It was always exciting and interesting.

I would not have expected beforehand that it would be so interesting, but I was **very positively surprised**. Very good slides and a great lecturing style (especially Georg Weißenbacher).

The pleasant and competent lectures by the lecturers Georg Weissenbacher and Josef Widder; the flawless English accent of lecturer Georg Weissenbacher (truly a treat for the ears).

... as far as its organization is concerned, the course was truly exemplary. Above all, the availability of the course team (TISS forum) was **above average**.

## Funding & Projects

| Year | Project |
|------|---------|
| 2011 | Vienna Research Group for Young Investigators<br>"Heisenbugs: From Detection to Explanation"<br>WWTF Funding: EUR 1.5m |
| 2014 | FWF Doctoral College<br>"Logical Methods in Computer Science"<br>Co-author of proposal, board member<br>FWF Overall Funding: 2.8m (15 PhD positions) |
| 2015 | **RiSE Research Network**<br>Principal Investigator<br>FWF Overall Funding: 3.6m, FORSYTE share: 625k |
| 2016 | Microsoft European PhD Scholarship<br>Funding: 110k |



## **Academic Service**

### Event organization:

- LOVE'16 spring school
- Interpolation Workshop '13-'15
- Informatiktag '15
- FMCAD Student Forum '15

### PC membership:

- Conference co-chair: FMCAD '17 (TU Wien), CAV '18
- Conference PC: CAV '13-'15; ICCAD '15-'16; FMCAD '13-'15
- Workshop PC: DUHDe '15; CREST '15; SMT '14; SV-COMP '12, ...

## What happened since I arrived at TU Wien...

### **Toyota Prius**

(New York Times, Feb. 12, 2014) Toyota Motor is recalling all of the 1.9 million newest-generation Prius vehicles it has sold worldwide because of a programming error ...

### **Heathrow Airport**

(The Guardian, December 2014) An unprecedented systems failure was responsible for the air traffic control chaos [...] "In this instance a transition between the two states caused a failure in the system which has not been seen before," ...

### **Lufthansa Airbus A321**

(Spiegel, March 20, 2015) A Lufthansa Airbus A321 with 109 passengers on board nearly crashed on the flight from Bilbao to Munich: misguided on-board computers had taken control.

### **Boeing 787 Dreamliner**

(The Guardian, May 2015) The US air safety authority has issued a warning and maintenance order over a software bug that causes a complete electric shutdown of Boeing's 787...

### **Heartbleed Bug**

(CNN, April 9, 2014) A major online security vulnerability dubbed "Heartbleed" could put your personal information at risk, including passwords, credit card information and e-mails.

(in 184.741 (P&SV))

### **Rowhammer Bug**

(InfoWorld, March 9, 2015) ... with certain varieties of DRAM an attacker can create privilege escalations by simply repeatedly accessing a given row of memory.





## Software and integrated circuits are everywhere

- 10<sup>6</sup> lines of code
- 70 micro-processors

## Huge Effort Spent on V&V

- Software verification: 50% of development time [Myers 1979-2012]
- Hardware validation: 35% of development time [Abramovici 2006]







## Automated Verification

Finding bugs:

- Scalable Software Model Checking [CAV'14]
- Efficient Detection of "Deep" Bugs [FMSD'15] (CAV'13), [FM'15]

Locating faults:

- Fault Localization in Post-Silicon [ICCAD'14]

## My Habilitation

- Logical foundations [JAR'16] (single auth. SAT'12)
- State-of-the-Art [Proc. IEEE'15]

# Model Checking 101

## Logic

T (transitions)

## State Space Explosion

Why explore states one by one?



$$S' = T(\mathcal{S}) \stackrel{\text{def}}{=} \{\, s' \mid T(s, s') \wedge s \in \mathcal{S} \,\}$$



How do we efficiently represent sets of states?

## **Logical Formulas!**

$F(V)$ over program variables, registers, latches, signals, ...

$$(x > 0) \quad \text{represents} \quad \{\, s \mid s(x) > 0 \,\}$$

And what about transitions?

## **Binary Relations!**

$T(V, V')$, where $V'$ denotes the target states

$$\underbrace{(x' = x + 1)}_{x++} \quad \text{represents} \quad \{\, \langle s, s' \rangle \mid s'(x) = s(x) + 1 \,\}$$



$R$ and its successor set $R'$:

$$R'(V') \stackrel{\text{def}}{=} \exists V \,.\, R(V) \land T(V, V')$$





#### T (transition relation)

```
1: if (x > 0)
2:   x = x - 1;
3: else
4:   x = x + 1;
5: assert (x >= 0);
```

$$T(\langle pc, x \rangle, \langle pc', x' \rangle) \stackrel{\text{def}}{=} \bigwedge \begin{pmatrix} (pc=1) \land (x>0) \Rightarrow (pc'=2) \land (x'=x) \\ (pc=1) \land \neg (x>0) \Rightarrow (pc'=4) \land (x'=x) \\ (pc=2) \Rightarrow (pc'=5) \land (x'=x-1) \\ (pc=4) \Rightarrow (pc'=5) \land (x'=x+1) \end{pmatrix}$$

$$\begin{array}{lcl} P(V) & \stackrel{\text{def}}{=} & (pc=5) \Rightarrow (x \geq 0) \\ I(V) & \stackrel{\text{def}}{=} & (pc=1) \end{array}$$









$$I(V_0) \wedge \left( \bigwedge_{i=1}^k T(V_{i-1}, V_i) \right) \wedge \neg P(V_k)$$

"Can property *P* be violated in *k* steps?" (here, property = assertion over variables)







$T^{\langle 4 \rangle}$, ..., $T^{\langle n \rangle}$: $\exists n \in \mathbb{N} \,.\, i' = i + n$

- $T^{\langle n \rangle}$ is the *accelerated* version of $T$:
  - computable if $T^{\langle n \rangle}$ is Presburger-definable (for instance)
  - but not computable in general







$$R_{\leq k} = \bigcup_{i=0}^{k} R_i \quad (\text{with } R_0 \stackrel{\text{def}}{=} I)$$

- "Fixed point" if $T$ cannot escape $R_{\leq k}$
- $R_{\leq k}$ contains $I$
- $T$ cannot leave $R_{\leq k}$
- $R_{\leq k}$ does not overlap with $\neg P$

$R_{\leq k}$ challenging to find for *concrete industrial-size* systems
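The transition relation of the five-line program, the BMC query "can $P$ be violated in $k$ steps?" and the fixed-point conditions on $R_{\leq k}$, rendered as one added example (Python written for this page, not the slides' tooling). To keep the enumeration finite, $x$ is restricted to a constructed domain $[-4, 4]$, so that the image $T(S)$, the $k$-step unrolling and $R_{\leq k}$ are computed by brute force instead of by a SAT/SMT solver; the names `STATES`, `post`, `bmc`, `reachable`, `check_safe` and the second initial condition `init_nonneg` (pc = 1 and x ≥ 0) are this example's own.

```python
"""Explicit-state rendering of the transition-relation example.

Constructed example: the program  1: if (x>0) 2: x=x-1; 3: else 4: x=x+1;
5: assert (x>=0);  as a relation T over states <pc, x>, with x restricted to
a small finite domain so that T(S), the BMC unrolling and R_{<=k} can all be
computed by enumeration.
"""

X_DOMAIN = range(-4, 5)                      # constructed: keeps the state space finite
STATES = [(pc, x) for pc in (1, 2, 3, 4, 5) for x in X_DOMAIN]


def T(s, t):
    """Transition relation T(<pc, x>, <pc', x'>), one conjunct per line of the slide."""
    pc, x = s
    pc2, x2 = t
    if pc == 1 and x > 0:
        return pc2 == 2 and x2 == x
    if pc == 1 and not x > 0:
        return pc2 == 4 and x2 == x
    if pc == 2:
        return pc2 == 5 and x2 == x - 1
    if pc == 4:
        return pc2 == 5 and x2 == x + 1
    return False          # pc = 5 has no successor; pc = 3 is never entered


def P(s):
    """Property P(V) = (pc = 5) => (x >= 0): the assertion at line 5 holds."""
    pc, x = s
    return not pc == 5 or x >= 0


def init_any(s):
    """I(V) = (pc = 1), x unconstrained (as on the slide)."""
    return s[0] == 1


def init_nonneg(s):
    """Constructed variant: I(V) = (pc = 1) and (x >= 0)."""
    return s[0] == 1 and s[1] >= 0


def post(S):
    """Image S' = T(S) = { s' | T(s, s') and s in S }."""
    return {t for s in S for t in STATES if T(s, t)}


def bmc(I, k):
    """Bounded model checking: I(V_0) and T(V_0,V_1) ... T(V_{k-1},V_k) and not P(V_k).
    Enumerates the paths the formula describes; returns a violating path or None."""
    paths = [(s,) for s in STATES if I(s)]
    for _ in range(k):
        paths = [p + (t,) for p in paths for t in STATES if T(p[-1], t)]
    for p in paths:
        if not P(p[-1]):
            return p
    return None


def reachable(I):
    """R_{<=k} = R_0 u ... u R_k with R_0 = I, iterated until T cannot leave
    R_{<=k} (the fixed point).  Returns (R_{<=k}, k)."""
    R = {s for s in STATES if I(s)}
    k = 0
    while True:
        new = post(R) - R
        if not new:           # T cannot escape R_{<=k}: fixed point reached
            return R, k
        R |= new
        k += 1


def check_safe(I):
    """R_{<=k} contains I and T cannot leave it by construction; the property
    holds iff R_{<=k} does not overlap with not P.  Returns (safe, k)."""
    R, k = reachable(I)
    return all(P(s) for s in R), k


if __name__ == "__main__":
    print("BMC, k = 2, x unconstrained:", bmc(init_any, 2))
    print("fixed point, x unconstrained:", check_safe(init_any))
    print("fixed point, x >= 0 initially:", check_safe(init_nonneg))
```

With $x$ unconstrained the unrolling needs $k = 2$ before a violation appears (the else branch carries a negative $x$ to line 5), and the fixed point reached after two images contains states that overlap $\neg P$; with the constructed initial condition $x \geq 0$ the same fixed point is disjoint from $\neg P$, which is the proof of correctness the slide's three conditions describe.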















(figure: abstract vs. concrete)
# Model Checking in Practice

## **Satisfiability Solvers**

(like linear programming, but for first-order/propositional logic)

PicoSAT, Boolector, Lingeling

- Satisfiability of First-Order/Propositional Logic
- Solve large instances with *hundreds of thousands of variables*
- Cornerstone of modern-day formal verification

# Automated Verification in Industry

What we want to verify vs. what we can verify.

## My research: Push the Boundary

- Scalable Software Model Checking [CAV'14]
- Efficient Detection of "Deep" Bugs [FMSD'15] (CAV'13), [FM'15]
- Fault Localization in Post-Silicon [ICCAD'14]

## My Habilitation

- Logical foundations [JAR'16] (single auth. SAT'12)
- State-of-the-Art [Proc. IEEE'15]

#### State-of-the-Art

Schlaipfer, Weissenbacher: *Labelled Interpolation Systems for Hyper-Resolution, Clausal, and Local Proofs.* Journal of Automated Reasoning '16

Vizel, Weissenbacher, Malik: *Boolean Satisfiability Solvers and Their Applications in Model Checking.* Proceedings of the IEEE '15



Exact reachability retards convergence

- Over-approximate $R_i$ instead?

# **Craig's Interpolation Theorem**

If $A(V, V') \land B(V', V'') \models \bot$, then there exists $C(V')$ such that

$$A(V, V') \models C(V') \qquad \text{and} \qquad B(V', V'') \models \neg C(V')$$

$C$ is "simpler" than $A$.









#### Interpolation-based Hardware Model Checking [Proc. IEEE'15]

$$\underbrace{I(V) \land T(V, V')}_{A(V, V')} \qquad \underbrace{\neg P(V')}_{B(V')}$$
$$\downarrow$$
$$C(V')$$
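As an added worked instance (not on the slides), take the five-line program from the Model Checking 101 part with the constructed initial condition $I(V) = (pc = 1) \wedge (x \geq 0)$ and the property $P(V) = (pc = 5) \Rightarrow (x \geq 0)$, so that

$$A(V, V') = (pc = 1) \wedge (x \geq 0) \wedge T(V, V'), \qquad B(V') = \neg P(V') = (pc' = 5) \wedge (x' < 0).$$

From $pc = 1$ the only transitions of $T$ are $(pc' = 2) \wedge (x' = x)$ and $(pc' = 4) \wedge (x' = x)$, hence $A \models (x' \geq 0)$ and $A \models (pc' \neq 5)$, and each of these is inconsistent with $B$. So $C(V') = (x' \geq 0)$ is an interpolant:

$$A(V, V') \models (x' \geq 0), \qquad B(V') \models \neg (x' \geq 0),$$

and so is $C'(V') = (pc' \neq 5)$. Both mention only the shared variables $V'$ and are "simpler" than $A$: they over-approximate the one-step image of $I$ under $T$ while staying disjoint from $\neg P$, which is exactly what an over-approximation of $R_1$ needs. The two candidates also show that interpolants are not unique; which one a proof-based algorithm produces depends on the refutation proof and on the interpolation system applied to it.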

## Interpolants from Propositional/First-Order Refutation Proofs

- Systematic variation of logical strength and structure
- Most general (propositional) interpolation algorithm to date



## Scalable Software Model Checking

Birgmeier, Bradley, Weissenbacher: *Counterexample to Induction-Guided Abstraction-Refinement (CTIGAR).* Conference on Computer Aided Verification (CAV), 2014

Based on IC3, the leading hardware model checking algorithm

- state space in software is much larger or $\infty$
  - therefore, we need *abstraction*
- IC3 refines approximations by eliminating unreachable states
  - in software, concrete-state refinement strategy not efficient
- Abstraction may introduce new predecessor
  - thwarts proof that bad state is unreachable
- CEGAR refinement requires *full* counterexample trace
  - in IC3, only single step available!
- Our approach combines CEGAR and IC3
  - single-step refinement based on interpolation

Results:

- Our *prototype* tool successfully verifies more programs than winner of the 2014 Software Verification Competition
- New implementation for parallel software competed in Software Verification Competition '16
  - 4<sup>th</sup> in parallel software category
  - first 3 tools do bug-finding exclusively



## Efficient Detection of "Deep" Bugs

Daniel Kroening, Matt Lewis, Georg Weissenbacher: *Under-approximating Loops in C Programs for Fast Counterexample Detection.* Journal for Formal Methods in Systems Design '15

Daniel Kroening, Matt Lewis, Georg Weissenbacher: *Proving Safety with Trace Automata and Bounded Model Checking.* Conference on Formal Methods '15

### memset(buf, 0, len);

```c
#include <stddef.h>   /* size_t */

/* Byte-wise memset: the loop counter i is the transition to accelerate. */
void* memset(void *buf, int c, size_t len){
  for(size_t i=0; i<len; i++)
      ((char*)buf)[i]=c;
  return buf;
}
```

- `size_t i`: $0 \leq i \leq \texttt{INT\_MAX}$
- but "standard" acceleration assumes $i \in \mathbb{N}$!
- $i = i + n$ for $n > (\texttt{INT\_MAX} - i)$: arithmetic overflow
- Off-the-shelf acceleration can
  - miss bugs
  - result in false positives
- Off-the-shelf acceleration does not support arrays
  - but content of `buf` matters in `memset(buf, 0, len)`

#### Acceleration for Bit-vectors & Arrays [FMSD'15]

We support bit-vectors

$$\exists n \leq (\texttt{INT\_MAX} - \texttt{i}) \,.\, \texttt{i}' = \texttt{i} + n$$

as well as arrays

$$\begin{pmatrix} \forall j \leq n \,.\, \mathtt{buf}'[\mathtt{i}+j] = c & \wedge \\ \forall j > n \,.\, \mathtt{buf}'[\mathtt{i}+j] = \mathtt{buf}[\mathtt{i}+j] \end{pmatrix}$$

Detection of deep bugs (e.g., buffer-overflows) in C programs

- on real GNU systems programs (e.g., Aeon web-server)
- runtime does not depend on number of loop iterations
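An added example (Python written for this page, not the FMSD'15 tool) that puts the "standard" acceleration $i' = i + n$ next to the bit-vector bounded version from the slide and checks both against concrete execution of the memset loop body. The counter width, the names `run_loop`, `accelerate_nat`, `accelerate_bv` and `check_equivalence`, and the half-open index range $0 \leq j < n$ used for the array update are this example's own assumptions; the buffers and values are constructed.

```python
"""Accelerating the memset loop body `buf[i] = c; i++` over bit-vectors.

Constructed example: the counter i is a `width`-bit unsigned value, so
INT_MAX = 2**width - 1 and i + n must not overflow.  The "standard"
acceleration assumes i in N and ignores that bound.
"""


def int_max(width):
    """Largest value of a `width`-bit unsigned counter (the slide's INT_MAX)."""
    return (1 << width) - 1


def run_loop(i, buf, c, n, width):
    """Concrete semantics: execute the loop body n times; i wraps around on
    overflow like a `width`-bit machine integer.  Returns (i', buf')."""
    buf = list(buf)
    for _ in range(n):
        buf[i] = c                        # write through the current index
        i = (i + 1) & int_max(width)      # i++ with wrap-around
    return i, buf


def accelerate_nat(i, n):
    """'Standard' acceleration: exists n in N . i' = i + n, with no overflow
    bound.  May yield i' > INT_MAX, a state the machine can never be in."""
    return i + n


def accelerate_bv(i, buf, c, n, width):
    """Acceleration for bit-vectors & arrays in the spirit of the slide:
         n <= INT_MAX - i   and   i' = i + n,
         buf'[i+j] = c for 0 <= j < n,   buf'[k] = buf[k] elsewhere.
       Returns None when n iterations are infeasible without overflow."""
    if n > int_max(width) - i:
        return None
    new_buf = [c if i <= k < i + n else v for k, v in enumerate(buf)]
    return i + n, new_buf


def check_equivalence(width, c=0x5A):
    """For every feasible (i, n) the accelerated step must equal n concrete
    iterations.  Returns True if the two agree on the whole domain."""
    size = int_max(width) + 1
    for i in range(size):
        for n in range(size - i):             # exactly the n with n <= INT_MAX - i
            buf = list(range(size))           # distinct initial contents
            if accelerate_bv(i, buf, c, n, width) != run_loop(i, buf, c, n, width):
                return False
    return True


if __name__ == "__main__":
    print("bit-vector acceleration matches concrete loop (4-bit):", check_equivalence(4))
    # 8-bit counter at i = 250: 10 more iterations overflow the counter.
    print("standard:", accelerate_nat(250, 10))                     # 260, not an 8-bit value
    print("bit-vector:", accelerate_bv(250, [0] * 256, 7, 10, 8))   # None: infeasible
    print("concrete:", run_loop(250, [0] * 256, 7, 10, 8)[0])       # 4: wrapped around
```

The last three lines show the two failure modes the slide names: the unbounded acceleration offers a post-state $i' = 260$ that no 8-bit execution reaches (a false positive for any check on $i'$), while the real execution wraps to $i' = 4$ and writes at the start of the buffer, a successor the unbounded formula never produces (a missed bug). The bounded version rejects $n = 10$ at $i = 250$ and leaves the remaining iterations to the loop's ordinary transitions.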



#### Acceleration for Proving Correctness [FM'15]

- BMC checks whether "no more steps" feasible
- Clashes with acceleration; there are always additional steps
- we use automata to eliminate "redundant" acceleration steps

"Look ma, no fixpoints!"

# Hardware (Integrated Circuits)

#### Fault Localization in Post-Silicon

Zhu, Weissenbacher, Malik: *Silicon fault diagnosis using sequence interpolation with backbones.* International Conference on Computer-Aided Design '14

Verified "Golden" Hardware Model (transition relation $T$) vs. silicon prototype

#### **Electrical Faults**

Manufacturing process can introduce

- stuck-at faults
- bridging faults
- transistor faults
- ...

The prototype crashes in state $f$, but $T$ does not reflect electrical faults.

### Verification task:

- Which *gate* in which execution *cycle* causes the discrepancy?

### Challenge:

- On-chip at-speed executions can be extremely long
- States in integrated circuit not fully observable

### Solution:

- Use interpolation to analyze windows of cycles individually
- Scalable fault diagnosis for post-silicon
- Evaluated on micro-controller designs 68HC05 and 8051
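An added example (Python, written for this page; it uses plain simulation rather than the interpolation-based method of the ICCAD'14 paper) that makes the diagnosis question concrete on a constructed three-gate circuit: a golden model $T$ for a 2-bit counter, an output trace observed from a "prototype", and a search over (net, cycle, stuck-at value) candidates for the transient fault that explains the discrepancy. The circuit, net names `not`/`xor`/`and`, the functions `step`, `simulate`, `diagnose` and all traces are constructed for this example.

```python
"""Post-silicon fault diagnosis by simulation on a constructed circuit.

Golden model T: a 2-bit counter with state registers (q0, q1),
    net "not": d0 = NOT q0        (next value of q0)
    net "xor": d1 = q0 XOR q1     (next value of q1)
    net "and": out = q0 AND q1    (the only observable signal)
A transient stuck-at fault forces one net to 0 or 1 in one cycle.
"""

NETS = ("not", "xor", "and")


def step(q0, q1, fault=None):
    """One clock cycle.  `fault` = (net, value) forces that net's output to
    `value` during this cycle.  Returns ((q0', q1'), out)."""
    def net(name, value):
        if fault is not None and fault[0] == name:
            return fault[1]                       # stuck-at injected here
        return value
    d0 = net("not", int(not q0))
    d1 = net("xor", q0 ^ q1)
    out = net("and", q0 & q1)
    return (d0, d1), out


def simulate(cycles, fault=None):
    """Run from reset state (0, 0).  `fault` = (net, cycle, value) or None.
    Returns the observable output trace, one bit per cycle."""
    q = (0, 0)
    trace = []
    for c in range(cycles):
        f = (fault[0], fault[2]) if fault is not None and fault[1] == c else None
        q, out = step(*q, f)
        trace.append(out)
    return trace


def diagnose(observed):
    """Which net in which cycle explains the discrepancy between the golden
    trace and `observed`?  Returns every single transient stuck-at fault
    whose simulated trace matches; more than one means the output alone
    cannot distinguish them (states are not fully observable)."""
    n = len(observed)
    if observed == simulate(n):
        return []                                 # no discrepancy to explain
    return [(net, c, v)
            for net in NETS for c in range(n) for v in (0, 1)
            if simulate(n, (net, c, v)) == observed]


if __name__ == "__main__":
    golden = simulate(8)
    prototype = simulate(8, ("xor", 0, 1))        # constructed faulty prototype
    print("golden   :", golden)
    print("prototype:", prototype)
    print("candidates:", diagnose(prototype))
    print("ambiguous :", diagnose(simulate(8, ("not", 2, 0))))
```

The first diagnosis is unique, but the second returns two candidates, `("not", 0, 0)` and `("not", 2, 0)`: both leave the counter one step behind and produce the same output trace, which is the observability problem the slide lists as a challenge. On real designs the candidate space is gates × cycles over very long executions, which is why the paper analyzes windows of cycles with interpolation instead of simulating every candidate.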







# **Thank You**

- Scalable Software Model Checking [CAV'14]
- Efficient Detection of "Deep" Bugs [FMSD'15] (CAV'13), [FM'15]
- Fault Localization in Post-Silicon [ICCAD'14]
- Logical foundations [JAR'16] (single auth. SAT'12)
- State-of-the-Art [Proc. IEEE'15]